Correctly configuring SNORT to block limewire from the LAN side
I've got SNORT humming along, but… I cannot get it to block P2P/Limewire stuff.
P4 2.8Ghz, 1GB DDR-400, 40GB IDE drive.
PFSense 1.2.3-Release, Snort 2.8.6, 1.27, Squid 2.7.9_1 and Lightsquid 1.7.1, also BandwidthD 18.104.22.168
I've enabled SNORT on the WAN interface, manually updating the rules (thanks for the guide RUNE!!) and I can select rulesets.
Rulesets enabled are emerging-p2p and p2p (along with a handful of others covering virus, spyware, scan, exploit etc)
I'm hoping to build an all-round decent firewall with IPS detection and caching.
Now the problem: Torrenting seems to be blocked now, but I can still fire up Limewire, search and download. I have the block offenders ticked, and when I look in the alerts log I do see things triggered with my WAN port as the source. I get entries in the blocked list if I fire up BitLord and try a download, and the hosts are all external IPs, but Limewire just keeps going.
Can someone please assist me with this? I'm running out of ideas. Once I get this all working I'm intending to replace a Sonicwall (with the security subscriptions configured), but I need this to do the same base functions first :)
Bump - Anyone?
Do I need to configure SNORT on the LAN interface instead of the WAN interface?
Out of curiosity, do you have UPnP disabled?
PNP is disabled in the BIOS of the PFSense box.
Is there another setting I need to disable or change? PFSense is all default with the exception of the Squid, Lightsquid, BandwidthD and SNORT packages installed.
GruensFroeschli:
DigitalJer is talking about UPnP http://en.wikipedia.org/wiki/Universal_Plug_and_Play not PNP.
In pfsense web gui:
Services / UPnP, and ensure the "Enable UPnP" is de-selected.
Not sure why Snort isn't blocking, but if for some reason UPnP is enabled, Limewire will happily open up all the ports it needs to communicate.
Ah - yes. UPnP is not enabled.
I have configured SNORT to scan the WAN interface. Is this correct, or should SNORT be checking the LAN interface for Limewire?
Ideally I want things like Limewire (I'm using this as an example; I'd like to block ALL P2P packages) and torrenting etc. blocked silently - e.g. Limewire just doesn't connect, without banning the host (local LAN PC) from the Internet.
Any more ideas?
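An added example (not from this thread or from pfSense/Snort) for checking which side the alerts actually identify: a small parser for Snort's fast alert format that separates alerts naming a LAN host from alerts that only name the firewall's WAN address. A WAN-side sensor behind NAT only ever sees the second kind, so the "offender" it can block is the remote peer, not the LAN PC. The sample alerts, rule messages, SIDs and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample alerts in Snort "fast" format (not from the thread).
# 192.168.1.50 is a hypothetical LAN host, 192.0.2.1 the firewall's hypothetical
# WAN address; 203.0.113.10 and 198.51.100.7 are hypothetical remote peers.
SAMPLE_ALERTS = """\
05/12-14:32:01.123456  [**] [1:1000001:1] LOCAL P2P Gnutella handshake [**] [Priority: 2] {TCP} 192.168.1.50:6346 -> 203.0.113.10:6346
05/12-14:32:05.654321  [**] [1:1000002:1] LOCAL P2P BitTorrent announce [**] [Priority: 2] {TCP} 192.0.2.1:51234 -> 198.51.100.7:6969
05/12-14:32:09.000001  [**] [1:1000001:1] LOCAL P2P Gnutella handshake [**] [Priority: 2] {TCP} 203.0.113.10:6346 -> 192.0.2.1:51235
"""

# gid:sid:rev, message, protocol, then "src[:port] -> dst[:port]" (ports absent for ICMP).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[0-9a-fA-F.:]+?)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[0-9a-fA-F.:]+?)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    return d


def lan_endpoint(alert, lan_nets):
    """Return the LAN address named in the alert, or None if neither side is on the LAN."""
    for addr in (alert["src"], alert["dst"]):
        if any(addr in net for net in lan_nets):
            return addr
    return None


def summarize(text, lan_nets, wan_addr):
    """Group alerts by the LAN host they identify; count those that only name the WAN address."""
    lan_nets = [ipaddress.ip_network(n) for n in lan_nets]
    wan_addr = ipaddress.ip_address(wan_addr)
    by_lan_host, wan_only = {}, 0
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        host = lan_endpoint(a, lan_nets)
        if host is not None:
            by_lan_host.setdefault(str(host), []).append(a["msg"])
        elif wan_addr in (a["src"], a["dst"]):
            wan_only += 1  # post-NAT view: the LAN originator is not recoverable from this alert
    return {"lan_hosts": by_lan_host, "wan_only": wan_only}


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS, ["192.168.1.0/24"], "192.0.2.1"))
```

Run it against a real alert file with your own LAN subnet and WAN address; if every P2P alert lands in `wan_only`, the sensor is seeing post-NAT traffic and cannot attribute it to a LAN host.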
First of all, PfSense is not a L7 firewall. Completely blocking P2P will probably be mission impossible. You can run a tight outgoing policy set with only allowing port 80 and a few others to the outside, but P2P uses http ports as much as any other. What you can do is use the traffic shaper to slow down P2P to a minimum or use a traffic quota for the users.
What I do is allow my users full access, log the traffic and penalize them if they're breaking the rules. Never had any need to block anything for them since I run that kind of policy.
Hope it helps.
Sorry for the OT, but that's a good point, and that's how we treat our users in our office - like adults. The new hires usually get a brief speech from one of us, to the effect of: we're all adults - complete and unfettered Internet usage isn't a problem unless it becomes a problem and/or we hear something from management.
aka - gaming, slacking, surfing YouTube all day isn't our issue - it's a management issue. Sure, we know who the slackers are - but usually keep quiet unless it's supremely excessive (causes bottlenecks or otherwise becomes disruptive), or management asks. Sometimes we'll drop hints to a manager…and the problem quickly fixes itself. Five years of this philosophy has resulted in only ONE person receiving discipline, no viruses, and only token spyware.
We're not the Internet police :) ...every office is different, but it's sure nice to be free of this stuff.
First of all PfSense is not a L7 firewall.
It is in 2.0 :-)